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What is claimed is: 



1 1. A method comprising: 

2 establishing a global zone in an operating system environment controlled by a single 

3 operating system kernel instance; 

4 establishing at least one non-global zone; 

5 selectively limiting at least one of visibility and access by processes associated with 

6 the global zone to objects within the global zone and select objects within at 

7 least one non-global zone; and 

8 limiting visibility and access by processes associated with each non-global zone to 

9 objects within that non-global zone. 

1 2. The method of claim 1, wherein visibility and access for processes associated with the 

2 global zone defaults to objects within the global zone, the method further comprising: 

3 receiving a request from a requesting process associated with the global zone for at 

4 least one of visibility and access to an object in a non-global zone; 

5 determining whether the requesting process is authorized for the requested at least 

6 one of visibility and access; and 

7 if the requesting process is authorized, selectively changing at least one of visibility 

8 and access for the requesting process in accordance with the request. 

1 3. The method of claim 1, wherein access for processes associated with the global zone 

2 defaults to objects within the global zone and visibility for processes associated with 
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3 the global zone defaults to objects within the global zone and objects within at least 

4 one non-global zone, the method further comprising: 

5 receiving a request from a requesting process associated with the global zone for 

6 access to an object in a non-global zone; 

7 if the requesting process is authorized, selectively changing access of the requesting 

8 process in accordance with the request. 

1 4. The method of claim 3, wherein the request comprises a request for an additional 

2 privilege. 

1 5. The method of claim 3, wherein a first process obtains access to objects within the 

2 global zone and a second process obtains access to objects within the global zone and 

3 at least one non-global zone; and wherein: 

4 the global zone is enabled to provide at least one of a default environment and a 

5 system wide administrative environment. 

1 6. The method of claim 1, the method further comprising: 

2 receiving an identifier indicating a zone selected from at least one of the global zone 

3 and an non-global zone; and 

4 mounting file system resources comprising processes to be executed in the zone 

5 indicated by the identifier to a portion of a file system associated with the 

6 zone indicated by the identifier; 

7 thereby enabling the processes of the file system resources to obtain at least one of 

8 visibility and access to objects within the zone corresponding to the identifier. 
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1 7. The method of claim 6, wherein the file system resources are mounted to a 

2 subdirectory of a root directory of a portion of a file system associated with the zone 

3 indicated by the identifier; 

4 thereby enabling processes expecting a tree like directory structure to execute within 

5 the zone indicated by the identifier. 

1 8. The method of claim 6, further comprising: 

2 enabling select processes to be visible to all other processes in the global zone and the 

3 non-global zone. 

1 9. The method of claim 1, wherein file system resources comprise processes to be 

2 executed in any zone, the method further comprising: 

3 receiving a request by a requesting process to access processes in the file system 

4 resources; and 

5 limiting access to processes in the file system resources based upon the requesting 

6 process' relationship with a zone indicated in the request; 

7 thereby enabling the processes of the file system resources to obtain at least one of 

8 visibility and access to objects within the zone corresponding to the identifier. 

1 10. The method of claim 1 , further comprising: 

2 providing information about the zone with which a process is associated based upon 

3 identity of a requesting process and relationship between the requesting 

4 process and the zone. 
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1 11. A computer based method for managing resources in a single kernel instance 

2 operating system, the method comprising the steps of: 

3 creating a global zone and at least one non-global zone; 

4 permitting processes of the global zone to view and access objects in the global zone 

5 and view objects in non-global zones; 

6 permitting processes of the non-global zone to view and access objects only in the 

7 non-global zone; and 

8 selectively permitting upon authorized request, a process of the global zone to access 

9 objects in a non-global zone. 

1 12. The method of claim 11, wherein a first process obtains access to objects within the 

2 global zone and a second process obtains access to objects within the global zone and 

3 at least one non-global zone: 

4 thereby enabling the global zone to provide at least one of a default environment and 

5 a system wide administrative environment. 

1 13. A computer readable medium, comprising: 

2 instructions for causing one or more processors to establish a global zone; 

3 instructions for causing one or more processors to establish at least one non-global 

4 zone; 

5 instructions for causing one or more processors to selectively limit at least one of 

6 visibility and access by processes associated with the global zone to objects 
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within the global zone and select objects within at least one non-global zone; 
and 

instructions for causing one or more processors to limit visibility and access by 

processes associated with each non-global zone to objects within that non- 
global zone; 

wherein the global zone and the at least one non-global zone exist concurrently in an 
operating system controlled by a single kernel instance. 

The computer readable medium of claim 13, wherein visibility and access for 
processes associated with the global zone defaults to objects within the global zone, 
and wherein the instructions for causing one or more processors to process comprise: 
instructions for causing one or more processors to receive a request from a requesting 

process associated with the global zone for at least one of visibility and access 

to an object in an non-global zone; 
instructions for causing one or more processors to determine whether the requesting 

process is authorized for the requested at least one of visibility and access; and 
instructions for causing one or more processors to selectively change at least one of 

visibility and access for the requesting process in accordance with the request, 

if the requesting process is authorized. 

The computer readable medium of claim 13, wherein access for processes associated 
with the global zone defaults to objects within the global zone and visibility for 
processes associated with the global zone defaults to objects within the global zone 
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4 and objects within at least one non-global zone, and wherein the instructions for 

5 causing one or more processors to process comprise: 

6 instructions for causing one or more processors to receive a request from a requesting 

7 process associated with the global zone for access to an object in an non- 

8 global zone; and 

9 instructions for causing one or more processors to selectively change access of the 

10 requesting process in accordance with the request, if the requesting process is 

1 1 authorized. 

1 16. The computer readable medium of claim 15, wherein the request comprises a request 

2 for an additional privilege. 

1 17. The computer readable medium of claim 15, wherein a first process obtains access to 

2 objects within that global zone exclusively and a second process obtains access to 

3 objects within the global zone and at least one non-global zone, thereby enabling: 

4 the global zone to provide at least one of a default environment and a system wide 

5 administrative environment. 

1 18. The computer readable medium of claim 13, wherein the instructions for causing one 

2 or more processors to process comprise: 

3 instructions for causing one or more processors to receive an identifier indicating a 

4 zone selected from at least one of the global zone and an non-global zone; and 
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instructions for causing one or more processors to mount file system resources 

comprising processes to be executed in the zone indicated by the identifier to 
a portion of a file system associated with the zone indicated by the identifier. 

The computer readable medium of claim 18, wherein the file system resources are 
mounted to a subdirectory of a root directory of a portion of a file system associated 
with the zone indicated by the identifier; 

thereby enabling processes expecting a tree like directory structure to execute within 
the zone indicated by the identifier. 

The computer readable medium of claim 18, wherein the instructions for causing one 
or more processors to process comprise: 

instructions for causing one or more processors to enable select processes to be 
visible to all other processes in the global zone and the non-global zone. 

The computer readable medium of claim 13, wherein file system resources comprise 
processes to be executed in any zone, and wherein the instructions for causing one or 
more processors to process comprise; 

instructions for causing one or more processors to receive a request by a requesting 

process to access processes in the file system resources; 
instructions for causing one or more processors to limit access to processes in the file 

system resources based upon a requesting process' relationship with a zone 

indicated in the request. 
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1 22. The computer readable medium of claim 13, wherein the instructions for causing one 

2 or more processors to process comprise: 

3 instructions for causing one or more processors to provide information about the zone 

4 with which a process is associated based upon identity of a requesting process 

5 and relationship between the requesting process and the zone. 

1 23. A computer readable medium, comprising: 

2 instructions for causing one or more processors to create a global zone and at least 

3 one non-global zone within an operating system controlled by a single kernel 

4 instance; 

5 instructions for causing one or more processors to permit processes of the global zone 

6 to view and access objects in the global zone and view objects in non-global 

7 zones; 

8 instructions for causing one or more processors to permit processes of the non-global 

9 zone to view and access objects only in the non-global zone; and 

10 instructions for causing one or more processors to selectively permit upon authorized 

1 1 request, a process of the global zone to access objects in a non-global zone. 

1 24. The computer readable medium of claim 23, wherein a first process obtains access to 

2 objects within the global zone and a second process obtains access to objects within 

3 the global zone and at least one non-global zone: 

4 thereby enabling the global zone to provide at least one of a default environment and 

5 a system wide administrative environment. 
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1 25. An apparatus, comprising: 

2 a means for establishing a global zone; 

3 a means for establishing at least one non-global zone; 

4 a means for selectively limiting at least one of visibility and access by processes 

5 associated with the global zone to objects within the global zone and select 

6 objects within at least one non-global zone; and 

7 a means for limiting visibility and access by processes associated with each non- 

8 global zone to objects within that zone. 

1 26. An apparatus, comprising: 

2 a means for creating a first zone and a second zone, wherein the first zone and the 

3 second zone exist concurrently in an operating system controlled by a single 

4 kernel instance; and 

5 a means for selectively permitting: 

6 access by processes associated with the first zone to computational entities 

7 associated with the first zone; 

8 access by certain ones of processes associated with the first zone to 

9 computational entities associated with the second zone; and 

10 access by processes associated with the second zone exclusively to 

1 1 computational entities associated with the second zone. 

1 27. A system, comprising: 

2 a processor; and 
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a memory connected with the processor, and operative to hold at least one of a 
plurality of program processes, including: 
instructions for providing an operating system; 

instructions for establishing and managing a plurality of zones within the 

operating system under control of a single kernel instance, including: 
instructions for creating a global zone and at least one non-global zone; 
instructions for permitting processes attached to the global zone to view and 

access objects in the global zone and view objects in non-global zones; 
instructions for permitting processes attached to the non-global zone to view 

and access objects only in the non-global zone; and 
instructions for selectively permitting upon authorized request, a process 

attached to the global zone to access objects in a non-global zone. 
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